Critical flaw in Wordpress plugin lets hackers takeover Hosting Account


Attackers can exploit a maximum severity vulnerability in the wpDiscuz plugin installed on over 70,000 WordPress sites to execute code remotely after uploading arbitrary files on servers hosting vulnerable websites.

wpDiscuz is a WordPress plugin marketed as an alternative to Jetpack Comments and Disqus that provides an Ajax real-time comment system that will store comments within a local database. This plugin comes with the support for multiple comment layouts, inline commenting and feedback, as well as a post rating system and multi-level (nested) comment threads.

Arbitrary file upload flaw leading to site takeovers

The flaw was reported to wpDiscuz's developers by the Wordfence Threat Intelligence team on 19 June 2020 and was fully patched with the release of version 7.0.5 on 23 July 2020, after a failed attempt to fix the flaw in version 7.0.4.

According to Chloe Chamberland (Threat Analyst at Wordfence), this security flaw is rated as critical severity with a CVSS base score of 10/10. While the wpDiscuz plugin was designed to allow only image attachments, the file MIME type detection functions included in unpatched versions of the plugin, which are used to verify file types, fail to block users from uploading arbitrary code files such as PHP files.

[Image: Function used to verify allowed file types. Source: Wordfence]

Once the file is uploaded to a vulnerable website's hosting server, the attacker receives its file path in the request's response, which makes it easy to trigger execution of the file on the server and achieve remote code execution (RCE).
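To make the failure mode concrete, here is an added example (not the plugin's own code, and it does not reproduce any wpDiscuz function) contrasting a check that relies on content sniffing alone with a hardened upload check, plus a small triage helper for an existing uploads directory. The file names and file bodies below are constructed test vectors; the magic-byte table, the `ALLOWED_EXT` map and the function names are assumptions of this example.

```python
import re

# Leading bytes of the image formats a comment-attachment feature would allow (assumed allowlist).
MAGIC = {"png": (b"\x89PNG\r\n\x1a\n",), "gif": (b"GIF87a", b"GIF89a"), "jpg": (b"\xff\xd8\xff",)}
ALLOWED_EXT = {"png": "png", "gif": "gif", "jpg": "jpg", "jpeg": "jpg"}
PHP_TAG = re.compile(rb"<\?(php\b|=)", re.IGNORECASE)


def sniff_image_type(data: bytes):
    """Image type implied by the first bytes, or None (this is all a MIME sniff sees)."""
    for kind, magics in MAGIC.items():
        if any(data.startswith(m) for m in magics):
            return kind
    return None


def weak_check(filename: str, data: bytes) -> bool:
    """Content sniffing alone: the name is ignored, so 'x.php' passes if it opens like an image."""
    return sniff_image_type(data) is not None


def hardened_check(filename: str, data: bytes) -> bool:
    """Exactly one allowlisted extension, magic bytes that agree with it, and no PHP open tag."""
    parts = filename.lower().split(".")
    if len(parts) != 2 or parts[1] not in ALLOWED_EXT:   # rejects 'a.php' and 'a.php.png'
        return False
    if sniff_image_type(data) != ALLOWED_EXT[parts[1]]:  # 'a.png' must really be a PNG
        return False
    return PHP_TAG.search(data) is None                  # no image needs a PHP open tag


def find_suspicious(files):
    """Triage helper for an uploads directory: names a sniff-only check would have accepted
    but the hardened check rejects. `files` maps filename -> file bytes."""
    return sorted(n for n, d in files.items() if weak_check(n, d) and not hardened_check(n, d))


# Constructed sample uploads (not real files from any site).
SAMPLES = {
    "photo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
    "anim.gif": b"GIF89a" + b"\x00" * 16,
    "note.php": b"GIF89a<?php echo 'marker'; ?>",  # opens like a GIF but is a PHP file
    "readme.txt": b"plain text, never an image",
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:12} sniff-only={weak_check(name, data)!s:5} hardened={hardened_check(name, data)}")
    print("would slip past sniff-only:", find_suspicious(SAMPLES))
```

Even with the hardened check, the durable mitigation is to keep uploads where the web server will not execute PHP (outside the web root, or with script execution disabled for the uploads directory), so a validation bug cannot become RCE.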

Chloe Chamberland said that, if exploited, this flaw could allow an attacker to execute commands on the vulnerable server and traverse your hosting account to further infect any websites hosted in the account with malicious code. She also added that this would effectively give the threat actor complete control over every website on your server.

Over 45,000 still vulnerable to attacks

While wpDiscuz 7.0.5, the version containing a fix for this maximum severity RCE flaw, was released on 23 July 2020, the plugin only had just over 25,000 downloads during the last week, including both latest updates and new installs.

This translates into at least 45,000 WordPress websites with active wpDiscuz installations still potentially left exposed to takeover attacks if attackers decide to start exploiting this flaw as part of future campaigns.

wpDiscuz users are urged to immediately update the plugin to the latest release to block potential attacks aiming to take over their hosting accounts, since attackers regularly use known WordPress plugin flaws to take over or wipe websites.

[Image: wpDiscuz download history. Source: WordPress]

For instance, last month Wordfence reported a large number of attacks targeting hundreds of thousands of WordPress websites over the course of 24 hours, attempting to collect database credentials by stealing configuration files after exploiting known Cross-Site Scripting vulnerabilities found in WordPress plugins and themes.

Ram Gall (QA engineer and Threat Analyst at Wordfence) said that between 29 May 2020 and 31 May 2020, the Wordfence Firewall blocked over 130 million attacks intended to harvest database credentials from 1.3 million websites by downloading their config files.
